From ebf508e4d7635bd3f29419429c479a7313bb9e69 Mon Sep 17 00:00:00 2001
From: Andrew Ayer <andrew@sslmate.com>
Date: Fri, 12 Dec 2025 10:09:22 -0500
Subject: [PATCH] Add FormatCheckpoint

---
 cttypes/checkpoint.go      | 15 +++++++++++++++
 cttypes/checkpoint_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/cttypes/checkpoint.go b/cttypes/checkpoint.go
index 2ec47be..868457b 100644
--- a/cttypes/checkpoint.go
+++ b/cttypes/checkpoint.go
@@ -110,3 +110,18 @@ func ParseCheckpoint(input []byte, logID LogID) (*SignedTreeHead, error) {
 		}, nil
 	}
 }
+
+func FormatCheckpoint(sth *SignedTreeHead, origin string, logID LogID) []byte {
+	keyID := makeCheckpointKeyID(origin, logID)
+	signature := keyID[:]
+	signature = binary.BigEndian.AppendUint64(signature, sth.Timestamp)
+	signature = append(signature, sth.Signature.Bytes()...)
+
+	buf := new(bytes.Buffer)
+	fmt.Fprintln(buf, origin)
+	fmt.Fprintln(buf, sth.TreeSize)
+	fmt.Fprintln(buf, sth.RootHash.Base64String())
+	fmt.Fprintln(buf)
+	fmt.Fprintf(buf, "\u2014 %s %s\n", origin, base64.StdEncoding.EncodeToString(signature))
+	return buf.Bytes()
+}
diff --git a/cttypes/checkpoint_test.go b/cttypes/checkpoint_test.go
index 5e4f475..1f9a286 100644
--- a/cttypes/checkpoint_test.go
+++ b/cttypes/checkpoint_test.go
@@ -87,3 +87,27 @@ func TestParseCheckpointFailure(t *testing.T) {
 		}
 	}
 }
+
+func TestFormatCheckpoint(t *testing.T) {
+	origin := "sycamore.ct.letsencrypt.org/2024h2"
+	logID := LogID{0x49, 0x4d, 0x90, 0x49, 0xb8, 0xaf, 0x3e, 0x5a, 0xca, 0xba, 0x99, 0x3e, 0x4c, 0x1f, 0x30, 0x56, 0x73, 0x7a, 0xa9, 0xf9, 0x6d, 0x00, 0xf7, 0xb0, 0xb9, 0xb2, 0x51, 0x06, 0xf7, 0xbe, 0x1a, 0x8f}
+	sth := SignedTreeHead{
+		TreeSize:  820495916,
+		Timestamp: 1719511711300,
+		RootHash:  [...]byte{0xc0, 0x3a, 0x6b, 0xe9, 0xf1, 0x1d, 0xc9, 0xcc, 0x20, 0x89, 0xe4, 0x45, 0xa7, 0x3f, 0x61, 0x41, 0xee, 0x82, 0xe8, 0x0d, 0x2d, 0x83, 0xa2, 0xb6, 0x65, 0x53, 0xd4, 0x96, 0xd7, 0x1e, 0xd2, 0x12},
+		Signature: tlstypes.DigitallySigned{
+			Algorithm: tlstypes.SignatureAndHashAlgorithm{
+				Hash:      tlstypes.SHA256,
+				Signature: tlstypes.ECDSA,
+			},
+			Signature: []byte{0x30, 0x46, 0x02, 0x21, 0x00, 0xd0, 0x0d, 0x31, 0x91, 0x50, 0x80, 0x62, 0xfa, 0xb0, 0xf9, 0xf7, 0x63, 0x61, 0x78, 0x95, 0x2b, 0x9c, 0x19, 0x22, 0x3a, 0x1d, 0x08, 0xc5, 0x68, 0x0e, 0xd0, 0x8b, 0x3b, 0x79, 0x18, 0x88, 0x86, 0x02, 0x21, 0x00, 0xd5, 0x74, 0xae, 0x8c, 0x1d, 0x1d, 0x7a, 0x4e, 0x80, 0x6c, 0x36, 0x46, 0x81, 0xb4, 0x7c, 0x91, 0x78, 0xc0, 0x3f, 0xdc, 0xc0, 0xab, 0xa5, 0x90, 0x40, 0x8d, 0x0e, 0xf6, 0x2c, 0x83, 0xa9, 0x34},
+		},
+	}
+
+	expected := "sycamore.ct.letsencrypt.org/2024h2\n820495916\nwDpr6fEdycwgieRFpz9hQe6C6A0tg6K2ZVPUltce0hI=\n\n\u2014 sycamore.ct.letsencrypt.org/2024h2 PdkIagAAAZBa4n5EBAMASDBGAiEA0A0xkVCAYvqw+fdjYXiVK5wZIjodCMVoDtCLO3kYiIYCIQDVdK6MHR16ToBsNkaBtHyReMA/3MCrpZBAjQ72LIOpNA==\n"
+
+	got := FormatCheckpoint(&sth, origin, logID)
+	if string(got) != expected {
+		t.Errorf("expected %q, got %q", expected, got)
+	}
+}